Frequently asked questions regarding Questionnaire Copilot Basic and Advanced.
For background on QC, see the QC product announcement.
Q: What are the differences between QC Basic and QC Advanced?
A:
- QC Basic: AI scans your knowledge base (KB) of previous Q&As for answers. Free to start.
- QC Advanced: Can answer any question based on your GRC platform’s content, like policies, controls, and evidence.
Q: How can I get the most out of QC Basic and QC Advanced?
A: Trustero recommends using them in complementary roles. Use QC Advanced for most scenarios and rely on QC Basic as a fallback.
This lets you keep your KB as small as possible, which means fewer Q&As that can go out of date.
Here's an example scenario: some questionnaires ask about cyber security insurance coverage, which is often not something that's covered by a company's policies, controls or evidence. So in that case, Trustero recommends adding it to the knowledge base in QC Basic. Questions about encryption or employee performance reviews, on the other hand, are covered by policies and controls, so there's no need to add those to the KB.
Q: Q&A KBs inevitably accumulate information that will eventually be out of date. How does QC handle that?
A: QC uses multiple Q&A knowledge bases. These come from (1) knowledge bases that you upload yourself and (2) answers from a completed questionnaire that you choose to incorporate as a new knowledge base. These KBs stack on top of each other, and as QC answers new questions it detects whether the KBs contain conflicting answers and replies with the most recent answer(s). This lets QC give up-to-date answers with minimal KB maintenance required by users.
Q: What else does QC do to make sure it's only providing up-to-date information?
A: QC Advanced references only the most recent controls, policies and evidence in your platform. Old, outdated documents are not referenced.
A: There are two ways to update what's in your knowledge base:
- Proactive: you can download a knowledge base, update items, and then re-upload the Q&As that you want to change.
- Reactive: if you see an answer from QC that is not correct, you can edit the answer and then choose to add it back into the knowledge base.
Q: When I add a new Q&A to my knowledge base from an accepted questionnaire answer, what happens?
A: QC creates a new KB per questionnaire which gets added to the collection of KBs. When answering new questionnaires, the most recent Q&As are used in the event there are conflicting answers.
Q: What happens if the same question appears in the KB multiple times?
A: QC will rely on the answer in the most recent/highest priority KB. Older Q&As are ignored.
Q: How do I see the contents of my KBs?
A: Download them using the KB button on the Questionnaire Copilot menu.
Q: How do I reprioritize my KBs?
A: The best option is to download the KBs, consolidate them, and re-upload them into Trustero. QC Advanced users can remove old knowledge bases, then load a questionnaire and rely on QC Advanced to develop new answers, which will be added to a new KB when they are accepted.
Q: Can individual KBs be deleted?
A: Yes. Use the navigation bar to go to Questionnaires > Knowledge Base > ... > Delete.
Q: How close does a question have to be in order to override a previous question?
A: If the underlying meaning of the question is the same, then it will match, even if the wording is different.
Q: What are some ways to make sure my KB is always up to date?
A: You can make sure to refresh your KB regularly. Refreshing every 90 days works for many organizations. Delete old KBs and upload a new one with up-to-date answers.
Q: Can't I just make my own version of this by uploading my policy documents and critical plans and other records to a Large Language Model (LLM) and asking it questions?
A: You can certainly use an LLM this way to ask it questions about your documents, but it won't be able to do some critical things that QC can:
- Include information from controls and the automated evidence gathered by receptors. This will enable you to find out how things are actually operating, not just how the policies say they should be operating.
- Understand the interrelationships between policies, controls, evidence and tests, which can be crucial when answering a question. That context influences the answers QC provides. An LLM that is looking at numerous documents may incorrectly return information from one document that is actually irrelevant for answering the question when considered in the proper GRC context.